EOTK demo-sample NGINX and Tor configs
# -*- awk -*- | |
# eotk (c) 2017 Alec Muffett | |
# EMACS awk mode works quite well for nginx configs | |
# logs and pids | |
pid /Users/alecm/src/eotk/projects.d/digital-rights.d/nginx.pid; | |
error_log /Users/alecm/src/eotk/projects.d/digital-rights.d/log.d/nginx-error.log debug; | |
# performance | |
worker_processes 5; # hardmap | |
worker_rlimit_nofile 1024; | |
events { | |
worker_connections 1024; | |
} | |
http { | |
# dns for proxy (sigh) | |
resolver 8.8.8.8 valid=30s; # should be able to do `ipv6=off` here, but problems | |
resolver_timeout 30s; | |
proxy_buffering on; | |
proxy_buffers 16 64k; | |
proxy_buffer_size 64k; | |
proxy_busy_buffers_size 512k; | |
proxy_max_temp_file_size 2048k; | |
proxy_temp_file_write_size 64k; | |
proxy_temp_path "/tmp"; | |
# logs | |
access_log /Users/alecm/src/eotk/projects.d/digital-rights.d/log.d/nginx-access.log; | |
# global settings | |
server_tokens off; | |
# allow/deny (first wins) | |
allow "unix:"; | |
deny all; | |
# rewrite these content types; text/html is implicit | |
subs_filter_types | |
application/javascript | |
application/json | |
application/x-javascript | |
text/css | |
text/javascript | |
text/xml | |
; | |
# onion_lookup -> if cannot remap, return input. | |
init_by_lua_block { | |
-- Write `s` to the nginx error log at ERR level, framed as "<<s>>" on a
-- line of its own so the entry is easy to spot when grepping the log.
-- Deliberately global: values set in init_by_lua_block are the only way to
-- share helpers with the per-request *_by_lua_block handlers further down.
slog = function (s)
  local framed = "\n<<" .. s .. ">>\n"
  ngx.log(ngx.ERR, framed)
end
-- Onion address -> clearnet hostname table consulted by onion_lookup.
-- Keys are the lowercase 16-character onion names exactly as they appear in
-- the server_name directives of this file; the table is global on purpose
-- (shared with the *_by_lua_block handlers below).
onion_mappings = {
  ["kb467hi3e67xgiqp.onion"] = "openrightsgroup.org",
  ["znvntufbxpx2rrus.onion"] = "eff.org",
  ["orizrj3cl3meckpx.onion"] = "accessnow.org",
  ["5lwmoxrnytoa53lj.onion"] = "digitalrights.ie",
}
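-- Replacement callback for the ngx.re.gsub call in onion_sub. `o` is the
-- capture table gsub hands over: o[0] is the whole match, o[1] the captured
-- onion name. Returns the clearnet hostname for a known onion, otherwise the
-- captured text unchanged ("if cannot remap, return input").
-- The gsub in onion_sub matches case-insensitively ("io" flags) while the
-- keys of onion_mappings are lowercase, so the captured name is lowercased
-- before lookup; otherwise an upper-case onion name in a Referer/Origin header
-- would match the pattern but never be remapped and would reach the origin
-- site as-is.
onion_lookup = function (o)
  local onion = o[1]
  return onion_mappings[string.lower(onion)] or onion
end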
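-- Rewrite every 16-character onion name found in `i` to its clearnet
-- hostname via onion_lookup. The callers below feed it the client-supplied
-- Referer and Origin request headers, so that the origin site never sees the
-- onion name. Returns nil when `i` is nil (header absent).
-- ngx.re.gsub returns nil plus an error string if the regex fails; in that
-- case the input is returned unchanged instead of blanking the header, which
-- is the "if cannot remap, return input" behaviour documented above. The
-- failure is logged through slog so it is visible in nginx-error.log.
-- Pattern flags: i = case-insensitive, o = compile the regex once and cache it.
onion_sub = function (i)
  if i == nil then
    return nil
  end
  local rewritten, _, err = ngx.re.gsub(i, "\\b([a-z2-7]{16}\\.onion)\\b", onion_lookup, "io")
  if rewritten == nil then
    slog("onion_sub: " .. tostring(err))
    return i
  end
  return rewritten
end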
} | |
# subs filters | |
subs_filter \bopenrightsgroup.org\b kb467hi3e67xgiqp.onion ri; | |
proxy_cookie_domain openrightsgroup.org kb467hi3e67xgiqp.onion; | |
proxy_redirect ~*^(.*?)\bopenrightsgroup\.org\b(.*)$ $1kb467hi3e67xgiqp.onion$2; | |
subs_filter \beff.org\b znvntufbxpx2rrus.onion ri; | |
proxy_cookie_domain eff.org znvntufbxpx2rrus.onion; | |
proxy_redirect ~*^(.*?)\beff\.org\b(.*)$ $1znvntufbxpx2rrus.onion$2; | |
subs_filter \baccessnow.org\b orizrj3cl3meckpx.onion ri; | |
proxy_cookie_domain accessnow.org orizrj3cl3meckpx.onion; | |
proxy_redirect ~*^(.*?)\baccessnow\.org\b(.*)$ $1orizrj3cl3meckpx.onion$2; | |
subs_filter \bdigitalrights.ie\b 5lwmoxrnytoa53lj.onion ri; | |
proxy_cookie_domain digitalrights.ie 5lwmoxrnytoa53lj.onion; | |
proxy_redirect ~*^(.*?)\bdigitalrights\.ie\b(.*)$ $15lwmoxrnytoa53lj.onion$2; | |
# global proxy settings | |
proxy_read_timeout 30; | |
proxy_connect_timeout 30; | |
# SSL config | |
ssl_certificate /Users/alecm/src/eotk/projects.d/digital-rights.d/ssl.d/kb467hi3e67xgiqp.onion.cert; | |
ssl_certificate_key /Users/alecm/src/eotk/projects.d/digital-rights.d/ssl.d/kb467hi3e67xgiqp.onion.pem; | |
#ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES256'; ## LibreSSL, OpenSSL 1.1.0+ | |
ssl_ciphers 'EECDH+AESGCM:EECDH+AES256'; ## OpenSSL 1.0.1% to 1.0.2% | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_timeout 10m; | |
ssl_buffer_size 4k; | |
ssl_prefer_server_ciphers on; | |
ssl_ecdh_curve prime256v1; | |
#ssl_ecdh_curve secp384r1:prime256v1; ## NGINX nginx 1.11.0 and later | |
# websockets | |
map $http_upgrade $connection_upgrade { | |
default "upgrade"; | |
"" ""; | |
} | |
# for kb467hi3e67xgiqp.onion -> openrightsgroup.org | |
server { | |
# hardmap | |
# unix sockets; use <ONION_ADDRESS>.d as a naming convention | |
listen unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/kb467hi3e67xgiqp.onion.d/port-80.sock; | |
listen unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/kb467hi3e67xgiqp.onion.d/port-443.sock ssl; | |
# subdomain regexp captures trailing dot, use carefully | |
server_name | |
kb467hi3e67xgiqp.onion | |
~^(?<subdomain>.+\.)kb467hi3e67xgiqp\.onion$ | |
; | |
# for test & to help SSL certificate acceptance | |
location ~ ^/hello[-_]onion/?$ { | |
return 200 "Hello, Onion User!"; | |
} | |
# for traffic | |
location / { | |
proxy_pass "$scheme://${subdomain}openrightsgroup.org"; # note $scheme | |
proxy_http_version 1.1; | |
proxy_set_header Host "${subdomain}openrightsgroup.org"; | |
proxy_set_header Accept-Encoding ""; # but putting this in `http` fails? | |
proxy_set_header Connection $connection_upgrade; # SSL | |
proxy_set_header Upgrade $http_upgrade; # SSL | |
proxy_ssl_server_name on; # SSL | |
set_by_lua_block $referer2 { | |
return onion_sub(ngx.var.http_referer) | |
} | |
proxy_set_header Referer $referer2; | |
set_by_lua_block $origin2 { | |
return onion_sub(ngx.var.http_origin) | |
} | |
proxy_set_header Origin $origin2; | |
} | |
} | |
# for znvntufbxpx2rrus.onion -> eff.org | |
server { | |
# hardmap | |
# unix sockets; use <ONION_ADDRESS>.d as a naming convention | |
listen unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/znvntufbxpx2rrus.onion.d/port-80.sock; | |
listen unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/znvntufbxpx2rrus.onion.d/port-443.sock ssl; | |
# subdomain regexp captures trailing dot, use carefully | |
server_name | |
znvntufbxpx2rrus.onion | |
~^(?<subdomain>.+\.)znvntufbxpx2rrus\.onion$ | |
; | |
# for test & to help SSL certificate acceptance | |
location ~ ^/hello[-_]onion/?$ { | |
return 200 "Hello, Onion User!"; | |
} | |
# for traffic | |
location / { | |
proxy_pass "$scheme://${subdomain}eff.org"; # note $scheme | |
proxy_http_version 1.1; | |
proxy_set_header Host "${subdomain}eff.org"; | |
proxy_set_header Accept-Encoding ""; # but putting this in `http` fails? | |
proxy_set_header Connection $connection_upgrade; # SSL | |
proxy_set_header Upgrade $http_upgrade; # SSL | |
proxy_ssl_server_name on; # SSL | |
set_by_lua_block $referer2 { | |
return onion_sub(ngx.var.http_referer) | |
} | |
proxy_set_header Referer $referer2; | |
set_by_lua_block $origin2 { | |
return onion_sub(ngx.var.http_origin) | |
} | |
proxy_set_header Origin $origin2; | |
} | |
} | |
# for orizrj3cl3meckpx.onion -> accessnow.org | |
server { | |
# hardmap | |
# unix sockets; use <ONION_ADDRESS>.d as a naming convention | |
listen unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/orizrj3cl3meckpx.onion.d/port-80.sock; | |
listen unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/orizrj3cl3meckpx.onion.d/port-443.sock ssl; | |
# subdomain regexp captures trailing dot, use carefully | |
server_name | |
orizrj3cl3meckpx.onion | |
~^(?<subdomain>.+\.)orizrj3cl3meckpx\.onion$ | |
; | |
# for test & to help SSL certificate acceptance | |
location ~ ^/hello[-_]onion/?$ { | |
return 200 "Hello, Onion User!"; | |
} | |
# for traffic | |
location / { | |
proxy_pass "$scheme://${subdomain}accessnow.org"; # note $scheme | |
proxy_http_version 1.1; | |
proxy_set_header Host "${subdomain}accessnow.org"; | |
proxy_set_header Accept-Encoding ""; # but putting this in `http` fails? | |
proxy_set_header Connection $connection_upgrade; # SSL | |
proxy_set_header Upgrade $http_upgrade; # SSL | |
proxy_ssl_server_name on; # SSL | |
set_by_lua_block $referer2 { | |
return onion_sub(ngx.var.http_referer) | |
} | |
proxy_set_header Referer $referer2; | |
set_by_lua_block $origin2 { | |
return onion_sub(ngx.var.http_origin) | |
} | |
proxy_set_header Origin $origin2; | |
} | |
} | |
# for 5lwmoxrnytoa53lj.onion -> digitalrights.ie | |
server { | |
# hardmap | |
# unix sockets; use <ONION_ADDRESS>.d as a naming convention | |
listen unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/5lwmoxrnytoa53lj.onion.d/port-80.sock; | |
listen unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/5lwmoxrnytoa53lj.onion.d/port-443.sock ssl; | |
# subdomain regexp captures trailing dot, use carefully | |
server_name | |
5lwmoxrnytoa53lj.onion | |
~^(?<subdomain>.+\.)5lwmoxrnytoa53lj\.onion$ | |
; | |
# for test & to help SSL certificate acceptance | |
location ~ ^/hello[-_]onion/?$ { | |
return 200 "Hello, Onion User!"; | |
} | |
# for traffic | |
location / { | |
proxy_pass "$scheme://${subdomain}digitalrights.ie"; # note $scheme | |
proxy_http_version 1.1; | |
proxy_set_header Host "${subdomain}digitalrights.ie"; | |
proxy_set_header Accept-Encoding ""; # but putting this in `http` fails? | |
proxy_set_header Connection $connection_upgrade; # SSL | |
proxy_set_header Upgrade $http_upgrade; # SSL | |
proxy_ssl_server_name on; # SSL | |
set_by_lua_block $referer2 { | |
return onion_sub(ngx.var.http_referer) | |
} | |
proxy_set_header Referer $referer2; | |
set_by_lua_block $origin2 { | |
return onion_sub(ngx.var.http_origin) | |
} | |
proxy_set_header Origin $origin2; | |
} | |
} | |
# header purge | |
more_clear_headers "Age"; | |
more_clear_headers "Server"; | |
more_clear_headers "Via"; | |
more_clear_headers "X-From-Nginx"; | |
more_clear_headers "X-NA"; | |
more_clear_headers "X-Powered-By"; | |
more_clear_headers "X-Request-Id"; | |
more_clear_headers "X-Runtime"; | |
more_clear_headers "X-Varnish"; | |
} |
# -*- conf -*- | |
# eotk (c) 2017 Alec Muffett | |
# template note: | |
# we use TOR_DIR not PROJECT_DIR because relocation of softmaps | |
DataDirectory /Users/alecm/src/eotk/projects.d/digital-rights.d | |
# NOTE(review): no CookieAuthentication / HashedControlPassword is set for this
# control socket, so whoever can open the socket file can drive the daemon;
# access control rests entirely on the socket's filesystem permissions.
ControlPort unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/tor-control.sock | |
PidFile /Users/alecm/src/eotk/projects.d/digital-rights.d/tor.pid | |
# NOTE(review): "Log info" together with "SafeLogging 0" writes addresses and
# other detail that Tor would normally replace with [scrubbed] into tor.log.
# Fine for a demo; worth reverting to SafeLogging 1 for a real deployment.
Log info file /Users/alecm/src/eotk/projects.d/digital-rights.d/log.d/tor.log | |
SafeLogging 0 # noisy logging | |
HeartbeatPeriod 60 minutes | |
LongLivedPorts 80,443 | |
RunAsDaemon 1 | |
# use single onions | |
# NOTE(review): the two HiddenService*Mode directives trade the service's own
# location anonymity for performance (single-hop circuits to the rendezvous
# point). The .onion still gives clients an authenticated, end-to-end encrypted
# path, but it does not hide where this proxy runs; that matches the use case
# here (sites that are already public on the clearnet).
SocksPort 0 # have to disable this for single onions | |
HiddenServiceSingleHopMode 1 # yep, i want single onions | |
HiddenServiceNonAnonymousMode 1 # yes, really, honest, i swear | |
# one HiddenServiceDir per onion; the unix sockets named here are the ones the
# matching nginx `server {}` block listens on.
# hardmap for: openrightsgroup.org -> kb467hi3e67xgiqp.onion | |
HiddenServiceDir /Users/alecm/src/eotk/projects.d/digital-rights.d/kb467hi3e67xgiqp.onion.d | |
HiddenServicePort 80 unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/kb467hi3e67xgiqp.onion.d/port-80.sock | |
HiddenServicePort 443 unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/kb467hi3e67xgiqp.onion.d/port-443.sock | |
HiddenServiceNumIntroductionPoints 3 | |
# hardmap for: eff.org -> znvntufbxpx2rrus.onion | |
HiddenServiceDir /Users/alecm/src/eotk/projects.d/digital-rights.d/znvntufbxpx2rrus.onion.d | |
HiddenServicePort 80 unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/znvntufbxpx2rrus.onion.d/port-80.sock | |
HiddenServicePort 443 unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/znvntufbxpx2rrus.onion.d/port-443.sock | |
HiddenServiceNumIntroductionPoints 3 | |
# hardmap for: accessnow.org -> orizrj3cl3meckpx.onion | |
HiddenServiceDir /Users/alecm/src/eotk/projects.d/digital-rights.d/orizrj3cl3meckpx.onion.d | |
HiddenServicePort 80 unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/orizrj3cl3meckpx.onion.d/port-80.sock | |
HiddenServicePort 443 unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/orizrj3cl3meckpx.onion.d/port-443.sock | |
HiddenServiceNumIntroductionPoints 3 | |
# hardmap for: digitalrights.ie -> 5lwmoxrnytoa53lj.onion | |
HiddenServiceDir /Users/alecm/src/eotk/projects.d/digital-rights.d/5lwmoxrnytoa53lj.onion.d | |
HiddenServicePort 80 unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/5lwmoxrnytoa53lj.onion.d/port-80.sock | |
HiddenServicePort 443 unix:/Users/alecm/src/eotk/projects.d/digital-rights.d/5lwmoxrnytoa53lj.onion.d/port-443.sock | |
HiddenServiceNumIntroductionPoints 3 | |
Aside: the "softmap" stuff is unfinished, but essentially will be OnionBalance support; near-identical Tor config files will be generated, with "ephemeral" Onion addresses that OnionBalance will scrape and present as a "cloud" of up-to-60 tor servers, each backed by an NGINX instance.
NIT: line 71 in nginx.conf, I should force lowercase before lookup.
TODO: add feature in config files for supplied URI path/roots to be blocked, inhibit access to logon (etc) if desired?
TODO: check server_name regexps are case-insensitive.
TODO: nginx.conf 142/152, check for null before setting Referer, or is that harmless? ISTR that Nginx drops empty headers; fix in template if not.
The template for the NGINX config is at:
https://github.com/alecmuffett/eotk/blob/master/templates.d/nginx.conf.txt
Ditto, Tor:
https://github.com/alecmuffett/eotk/blob/master/templates.d/tor.conf.txt
Also, the config file which gave rise to this:
https://github.com/alecmuffett/eotk/blob/master/templates.d/demo.conf.txt - lines 56-61 inclusive